The present invention relates to the field of computer security, and more particularly, to protecting computers against the installation or execution of unauthorized software. Unauthorized software applications can include self-propagating software applications, such as computer viruses, trojans, and worms; software intended to commercially exploit users, such as spyware or adware; malicious software or malware; surveillance applications such keyloggers, screen capturing programs, and web tracking programs; and software intended to conceal its own existence and/or the existence of other applications, such as rootkits; as well as any other type of software application, script, macro, or other executable instructions intended to operate on a computer system without the permission of the computer user and/or a system administrator.
One approach to protecting against the execution of unauthorized or malicious software on a computer is to scan the computer periodically for the presence of such software, in memory and on disk. If unauthorized software is found, the software can be removed. There are several problems with this approach. Performing the scan can take a significant amount of system resources (e.g., CPU cycles, disk accesses), even when done in the background. This leads some users to avoid the procedure. Yet to have maximum effect, the scan should be performed frequently. Furthermore, the scan only detects unauthorized software that is already present on the computer. Therefore, unauthorized software may have already caused inconvenience or damage by the time it is detected and removed.
A different approach is to prevent unauthorized software from installing on the computer in the first place. This approach uses security features provided by the operating system. A system administrator can create and deploy software restrictions that prevent unauthorized software from installing, executing, or accessing computer resources.
Existing solutions using this approach require system administrators to gather information about unauthorized software, and to use this information to create software restrictions that protect against the software. Previously, the process used to create and update software restrictions requires the system administrators to manually input information about the unauthorized software. This manual process is inefficient and time-consuming. In some cases, the system administrator must actually have a copy of the software application to create an effective software restriction -that blocks this software application. Thus, system administrators are often reacting to unauthorized software applications (and repairing the damage wrought by these applications), rather than preventing them from being executed in the first place. Moreover, the creators of unauthorized software may change these software applications frequently to produce many variants to bypass detection and previous software restrictions. As a result, existing approaches require system administrators to be constantly creating and updating software restrictions to protect against each variant.
It is therefore desirable for a system and method to automatically generate inoculation data to implement software restrictions that prevent authorized software applications from executing and/or accessing system resources. It is further desirable that the system and method to readily deploy inoculation data to managed computer systems to facilitate software restrictions in response to new or frequently changed unauthorized software applications. It is further desirable that the system and method disable countermeasures and defensive mechanisms of unauthorized software applications to facilitate their removal. It is also desirable for the system and method to implement preventative software restrictions against unauthorized software applications prior to any appearance of the applications on any managed computers.